
Supervisor: Dr. Pham Van Tinh

10/1/2009

IDS Snort

Hong Tin Long Ng Trn Khnh Chu Nguyn Ngc Thm V H Tin Nguyn Minh Tin


Part I: IDS
Concepts, classification. Architecture. Deployment.

Part II: Snort
Introduction. Installation. Snort rules.

Part III: Demo



An IDS is a system (software, hardware, or a combination of both) that detects unauthorized intrusion activity in a network. It detects the actions of the attack process (footprinting, scanning, sniffing), provides information to identify them, and raises alerts. The technique used in an IDS can be signature-based or anomaly-based, or a combination of the two.

HIDS: installed as an agent on a specific host. It analyses the logs of the operating system or of applications and compares events against a database to detect security violations and raise alerts. When a violation occurs, the HIDS records the action, raises an alert, and can stop the action before it takes place. A HIDS can be used as a log monitor, an integrity monitor, or a kernel-level intrusion detector (kernel module).

NIDS: captures packets on the network and compares the collected data against a database in order to detect attack signatures. When an attack is found, the NIDS logs the packets to the database, raises an alert, or hands the packets to the firewall.


Host IDS - HIDS
HIDS only observes the host: the operating system and application activity (typically log analysis and integrity checking).
Only detects attacks that have already succeeded.
Works effectively in switched, encrypted and high-speed environments.

Network IDS - NIDS
NIDS sees the whole data flow on the network (a NIDS is often regarded as a sniffer).
NIDS detects potential attacks.
Very hard to operate in switched, encrypted and high-speed environments.

IDS architecture (diagram): Sensor, Preprocessors, Detection Engine, Alert Systems, Output / Logging Systems.


A signature-based IDS needs an existing database of attack types in order to recognise attacks that may occur; based on the signatures it already knows, new signatures must be kept up to date. The IDS itself does not fight attacks or stop the exploitation process; it only detects them and raises alerts. Where should the IDS be placed in the network for the greatest effect?

IDS placement (diagram labels: Internet, Router, Firewall, IDS, Local Network).

The IDS deployment strategy depends on the security policy and on the resources to be protected. More IDSs mean a slower system and higher maintenance costs.


Snort is a signature-based IDS. It runs on both Windows and Linux. Snort's rule sets are stored in text files; the rules are grouped into categories, and each group is kept in its own file. These files are listed in the configuration file snort.conf. Snort reads the rules at startup and builds a data structure (chains) to apply the rules to the captured data.

Snort comes with a rich set of predefined rules, but users can define and add new rules or remove unnecessary ones. Snort is a stateful IDS: it can reassemble TCP segments and record attacks based on them. Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.

Snort can be installed in two modes: inline or passive. Inline: Snort integrates with the firewall and triggers it to block, drop or take other action to stop the attack it has detected. Passive: Snort only detects the intrusion, then logs it and raises an alert.

Required software: Apache, PHP, MySQL, BASE, Libpcap, Libnet, Perl, Pear, Snort.



Use rpm -qa | grep <package> to check whether a package is installed. Use yum install <package> to install the missing packages. For .rpm packages: rpm -ivh <package.rpm>

Use wget <url> to download installation packages from a website. For .tar.gz packages:
tar xvzf <package.tar.gz>
cd <package>
./configure [option]
make && make install

Apache is installed by default; check with rpm -qa | grep http:
httpd-manual-2.2.11-2.fc10.i386
httpd-tools-2.2.11-2.fc10.i386
httpunit-1.6.2-2.fc10.noarch
httpd-2.2.11-2.fc10.i386
mod_ssl-2.2.11-2.fc10.i386

MySQL is installed by default; check with rpm -qa | grep mysql:
mysql-5.0.77-1.fc10.i386
mysql-server-5.0.77-1.fc10.i386
mysql-devel-5.0.77-1.fc10.i386
mysql-libs-5.0.77-1.fc10.i386
php-mysql-5.2.6-5.i386



PHP is installed by default; check with rpm -qa | grep php:
php-5.2.6-5.i386
php-devel-5.2.6-5.i386
php-mysql-5.2.6-5.i386
php-pdo-5.2.6-5.i386
php-ldap-5.2.6-5.i386
php-common-5.2.6-5.i386
php-pear-1.7.2-2.fc10.noarch
php-gd-5.2.6-5.i386
php-cli-5.2.6-5.i386



Also required are perl (preinstalled), libpcap and libnet. These should be installed from source. Use wget <url>, for example:
wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz

Then install it like any other .tar.gz package.


The packages above are the minimum required. If any is missing, use yum install <package> to add it. Start Apache and MySQL:
service httpd start
service mysqld start

Download snort-2.8.x.x.tar.gz and snortrules-2.8.tar.gz from http://www.snort.org

Note: the Snort build often fails with an error about libipq.h. This error is related to iptables, because Snort is being compiled in inline mode. In that case install iptables-devel as well, restart the service, and it works.

# tar xvzf snort-2.8.5.1.tar.gz
# cd snort-2.8.5.1
# ./configure --with-mysql --enable-dynamic-plugin --enable-inline
# make
# make install
Use ./configure --help to see Snort's other build options.

Create the snort directory under /etc:
# mkdir /etc/snort
# mkdir /etc/snort/rules
Copy Snort's configuration files into the directory just created:
# cd /usr/local/snort-2.8.5.1/etc
# cp * /etc/snort

Extract snortrules-2.8.tar.gz:
# tar xvzf snortrules-2.8.tar.gz
# cd rules
# cp * /etc/snort/rules/
Create a symbolic link for snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort


For Snort to run as a service we need a user and a group for it:
# groupadd snort
# useradd -g snort snort


Create the log directory and set its owner and permissions for snort:
# mkdir /var/log/snort
# chown -R snort:snort /var/log/snort
# chmod 664 /var/log/snort


# vim /etc/snort/snort.conf
Find the line:
var RULE_PATH ../rules
and change it to:
var RULE_PATH /etc/snort/rules
This is the directory holding the rule set. Specify the output database in which the logs are stored:
output database: log, mysql, user=snort password=long dbname=snort host=localhost

# cd /usr/local/snort-2.8.4.1/rpm/
# cp snortd /etc/init.d/
# cp snort.sysconfig /etc/sysconfig/snort
# chmod 755 /etc/init.d/snortd
# chkconfig --add snortd
# chkconfig snortd on


# mysql -u root
> set password for root@localhost = password('241288');
> flush privileges;
> use mysql;
> CREATE USER snort@localhost IDENTIFIED BY 'long';
> flush privileges;

> create database snort;
> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO snort@localhost;
# cd /usr/local/snort-2.8.5.1/schemas/
# mysql -u root -p snort < create_mysql
Test:
# mysql -u root -p
> use snort;
> show tables;

Since the web server and PHP are already installed, we only need to install the PEAR packages for PHP:

# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman

Install adodb:
# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
# cp adodb508a.tgz /var/www/html/
# cd /var/www/html/
# tar -xvzf adodb508a.tgz



# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
# cp base-1.4.2.tar.gz /var/www/html/
# cd /var/www/html/
# tar -xzvf base-1.4.2.tar.gz
# cp base_conf.php.dist base_conf.php


# vim base_conf.php
$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'long';

Open http://127.0.0.1/base-1.4.2 in a browser. Point it at the path of the adodb library. Enter the values for the database that stores the logs: Database Name, Database Host, Database User and Database Password (the username and password used to access the database). Then choose Create BASE AG (this creates the BASE tables in the database).

snort -A: sets the alert mode. Several modes are supported: fast, full, console, test or none. Console mode prints to the screen and writes the log files. Fast mode is used on high-bandwidth links.

snort -v: sniffer mode. Prints every captured packet to the console (IP and TCP/UDP/ICMP headers). The network card must be in promiscuous mode.
snort -d: also display the application-layer data.
snort -e: display the layer-2 header information.
snort -vde: the switches can be combined to show more data, including MAC and IP addresses; -vde gives the most information.

Save the captured data to files:
snort -dev -l [logdir]

Save it in binary form:
snort -l [logdir] -b

Read the data back from a binary file:
snort -dv -r [file]
snort -dv -r [file] icmp

snort -l /var/log/snort: specifies the directory for the log files. Logs are stored hierarchically: each address gets its own directory, and everything related to that address is kept in it. Snort saves packets as ASCII files whose names are built from the protocol and the port numbers.
snort -b: log packets in tcpdump (binary) format; logging is very fast.

snort -c: config file; specifies which configuration file to use.
snort -D: run Snort in the background (daemon mode).
snort -i: interface; specifies which interface Snort listens on.
snort -s: send alert messages to syslog.
snort -T: test and report on the current Snort configuration.
snort -y: include the year in the timestamps of alert messages and log files.

Preprocessors receive a packet and process it before the rules are applied (input plugins). Syntax:
preprocessor <preprocessor_name>[: <configuration_options>]
Examples:
preprocessor frag2
preprocessor stream4: detect_scans

Output modules are configured with:
output <output_module_name>[: <configuration_options>]
Example:
output database: alert, mysql, user=rr password=boota dbname=snort host=localhost

Snort relies on rule sets to detect attacks. Rules are usually stored in the snort.conf file. Several files can be used by adding the paths to those rule files to the main configuration file. Each rule is written on one line. A single rule can detect several kinds of intrusion.

A rule consists of two parts: the rule header and the rule options. Rule header: holds the action the rule takes and the criteria for matching the rule against a packet. Rule options: hold the alert message and specify which parts of the packet are used to generate the alert.

(Figure: rule header and rule options.)

action protocol address port \
direction address port \
(option1: <value1>; option2: <value2>; ...)

Note: the \ here only marks a line break. Each rule should be written on a single line.

Rule header fields: Action, Protocol, Address, Port, Direction, Address, Port.

Action: defines the action taken when a packet satisfies the conditions. Usually this is raising an alert and logging (alert, log). If Snort is installed in inline mode you can choose drop so that iptables discards the packet.


Protocol: Snort can analyse the protocols TCP, UDP, ICMP and IP. Address: the source and destination addresses; an address may be a single host, several hosts or a network. Direction: indicates which address and port are the source and which the destination (->, <-, <>). Port: used only with TCP and UDP to indicate the source and destination ports of the packets the rule applies to.

Rule options follow the rule header, enclosed in ( ), with the options separated by ;. The action is executed only when all options are satisfied. An option consists of a keyword and an argument, separated by ':'. When there are several options they are ANDed together.

classtype: <name>; classifies the rule under a specific attack type. It works together with the file /etc/snort/classification.config:
config classification: name,description,priority
Name is the classification name; it is the value used with the classtype keyword when writing a rule. Description: a short description of the classification. Priority: the default priority for the classification; it can be overridden with the priority keyword in the rule options.

ack: <number>; often used to tell whether a port scan is in progress. Only meaningful when the ACK flag is set in the TCP header.
msg: <message>; adds a string to the log and the alert. The message is written in quotes.
content: <straight text>; or content: <hex data>; searches for the signature in the packet.

offset: <value>; used with content to say where the search starts.
depth: <value>; used with content to set where the compared data region ends, counted from the start position.
dsize: [<|>|=] <number>; tests the length of a packet (buffer overflow attacks).


rev: <revision integer>; gives the revision number.
priority: <value>; the priority keyword assigns a priority to a rule.
nocase: used together with content to match the content case-insensitively.
See the attached file for the other options.


Rules are placed at the end of snort.conf. Many rules can be written using the variables defined in that file. You can also define a .rules file and reference it from snort.conf with include:
include $RULE_PATH/web-attacks.rules
Many predefined rules are provided in the directory /etc/snort/rules.

alert tcp 192.168.1.0/24 23 -> any any (content: "confidential"; msg: "Detect confidential";)
Captures packets coming from source addresses in the network 192.168.1.0/24 with source port 23, to any destination address and any destination port. Searches the packet for the signature "confidential". The protocol is tcp.

alert tcp any any -> 192.168.1.0/24 80 (flags: A; ack: 0; msg: "TCP ping detected";)
Detects someone using Nmap to scan ports: the packets sent have the ACK flag set with ack = 0, to port 80 over tcp. The flags keyword is used to test which flags are set in the TCP header of the packet.


config classification: denial-of-service,Detection of a Denial of Service Attack,2
alert udp any any -> 192.168.1.0/24 6838 (msg: "Dos"; content: "server"; classtype: denial-of-service;)
alert udp any any -> 192.168.1.0/24 6838 (msg: "Dos"; content: "server"; classtype: denial-of-service; priority: 1;)

alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)
Searches for the word HTTP in the TCP packets coming from 192.168.1.0/24, from byte 4 up to byte 40. If it matches, the message "HTTP matched" is emitted.
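As an added illustration (not code from these slides or from Snort itself), the following Python matcher applies the rule syntax described above to a constructed packet: it parses the header fields, groups each content with the offset/depth/nocase modifiers that follow it, evaluates dsize, resolves classtype/priority against the classification line, and ANDs every option. It assumes a packet represented as a dict with proto/src/sport/dst/dport/payload keys, handles only the -> direction, and rejects keywords it does not implement (flags, ack, itype, fragbits).

```python
import ipaddress
# Constructed from the page's "config classification: denial-of-service,...,2" example
CLASSIFICATIONS = {"denial-of-service": 2}
# Keywords this example understands; anything else (flags, itype, fragbits, ...) is rejected
SUPPORTED = {"msg", "sid", "rev", "classtype", "priority", "content", "offset", "depth", "nocase", "dsize"}

def parse_rule(rule):
    """Split a one-line rule into its header fields and an ordered (keyword, argument) list."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    items = [s.strip() for s in body.rstrip(") ").split(";") if s.strip()]
    opts = [(k.strip(), v.strip().strip('"')) for k, _, v in (i.partition(":") for i in items)]
    if {k for k, _ in opts} - SUPPORTED:
        raise ValueError("keyword not handled here: %s" % ({k for k, _ in opts} - SUPPORTED))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}
def rule_priority(rule):
    """An explicit priority keyword overrides the classtype's default from classification.config."""
    opts = dict(rule["opts"])
    return int(opts["priority"]) if "priority" in opts else CLASSIFICATIONS.get(opts.get("classtype"))
def _addr(spec, ip):  # "any", a single host, or a CIDR network
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def _endpoints(rule, pkt):
    return (_addr(rule["src"], pkt["src"]) and rule["sport"] in ("any", str(pkt["sport"]))
            and _addr(rule["dst"], pkt["dst"]) and rule["dport"] in ("any", str(pkt["dport"])))
def _dsize(spec, size):  # dsize: [<|>|=] <number>; a bare number means equality
    op, n = (spec[0], int(spec[1:])) if spec[0] in "<>=" else ("=", int(spec))
    return size > n if op == ">" else size < n if op == "<" else size == n

def _contents(opts):
    """Group each content with the offset/depth/nocase modifiers that follow it."""
    groups = []
    for key, val in opts:
        if key == "content":
            groups.append({"pat": val.encode(), "offset": 0, "depth": None, "nocase": False})
        elif groups and key in ("offset", "depth", "nocase"):
            groups[-1][key] = True if key == "nocase" else int(val)
    return groups
def matches(rule, pkt):
    """The header must match and every option must hold: rule options are ANDed together."""
    payload = pkt["payload"]
    if (rule["proto"] != pkt["proto"] or not _endpoints(rule, pkt)
            or any(k == "dsize" and not _dsize(v, len(payload)) for k, v in rule["opts"])):
        return False
    for c in _contents(rule["opts"]):  # search window is payload[offset : offset + depth]
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        fold = bytes.lower if c["nocase"] else (lambda b: b)
        if fold(c["pat"]) not in fold(payload[c["offset"]:end]):
            return False
    return True
```

With the page's HTTP rule, a payload whose only "HTTP" sits before byte 4 does not match, which is exactly what offset/depth are for.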


Demo: Smurf attack, Jolt attack, Teardrop attack.


alert icmp $EXTERNAL_NET any -> 192.168.77.129 any (msg: "Demo smurf attack"; sid:1000010; dsize:>32; itype:0; icmp_seq:0; icmp_id:0;)

alert ip $EXTERNAL_NET any -> 192.168.77.129 any (msg: "Demo DOS Jolt attack"; dsize:408; fragbits:M; sid:268; rev:4;)

alert udp $EXTERNAL_NET any -> 192.168.77.129 any (msg: "Demo DOS Teardrop attack"; fragbits:M; id:242; sid:270; rev:6;)
